A Platform to Support XDR
Edward Amoroso, Tag Cyber | November 04, 2019
Let’s start with some conditionals: First, if you focus on indicators, then detection and response can be preventive (think about it). Second, if you substitute enterprise systems and devices for endpoints, then EDR evolves to XDR (AKA extended-DR). And third, if you have a great security platform, then managed service providers can become managed security service providers. These conditionals effectively introduce Stellar Cyber.
My friend and colleague Dave Barton, who serves as CISO for the company, stopped by our Fulton Street offices in New York recently to provide an update on their fine XDR platform for service providers and enterprise teams. Dave’s enthusiasm was infectious as usual – and I was happy to see Stellar Cyber using open detection and response as a key differentiator in the service provider platform marketplace. Here’s what I learned from Dave:
“At Stellar Cyber, we use automation, analytics, and rule-based systems to empower security analysts to drive open detection and response, also known as XDR,” he explained. “We provide a means for SOC teams to connect the dots on complex incidents, and to provide rapid detection and response to cyber-attacks. This is done through integration of dozens of apps into a modern platform solution with a feature-rich dashboard.”
The Stellar Cyber platform, called Starlight, is a software solution that can be installed on physical or virtual x86 servers on-premises or in public clouds. Starlight includes network sensors for data collection, agent sensors for Linux and Windows logs, container sensors to monitor containerized computing, deception sensors for trap functionality, virtual appliance sensors for KVM, VMware, and Hyper-V, and data sensors for big data platforms.
Starlight is best understood through the phases of XDR it supports. Data is first captured through the extensive sensors mentioned above. All collected data is normalized into a Stellar data technology called Interflow, which is a JSON-formatted data record. “We enrich the sensor-collected data with context,” Barton said, “which allows for effective fusion and interpretation of the available information.”
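The normalize-then-enrich step described above is the core of any XDR data layer: heterogeneous sensor events are mapped onto one JSON record shape and then joined with context (asset inventory, detection category) so that later analytics see comparable fields regardless of source. The following is an added example written for this article, not Stellar Cyber's code, and it does not reproduce the real Interflow schema; the field names, the asset inventory, the kill-chain phase table and the three sensor events are all constructed assumptions for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed asset inventory used for enrichment (hypothetical data).
ASSET_INVENTORY = {
    "10.0.1.15": {"hostname": "web-01", "owner": "platform", "criticality": "high"},
    "10.0.2.40": {"hostname": "hr-laptop-07", "owner": "hr", "criticality": "medium"},
}
# Secondary index so agent events, which carry a hostname rather than an IP, can be enriched too.
ASSETS_BY_HOST = {a["hostname"]: dict(a, ip=ip) for ip, a in ASSET_INVENTORY.items()}

# Hypothetical mapping from a detection category to a kill-chain phase.
KILL_CHAIN_PHASE = {
    "port_scan": "reconnaissance",
    "failed_logon": "exploitation",
    "privileged_container_start": "installation",
}

# Constructed sample events, one per sensor type, each in its native shape.
NETWORK_EVENT = {"ts": 1572858715, "sip": "10.0.2.40", "dip": "10.0.1.15", "sig": "port_scan"}
AGENT_EVENT = {"EventTime": "2019-11-04T09:12:03Z", "EventID": 4625,
               "IpAddress": "10.0.2.40", "TargetUserName": "jdoe", "Computer": "web-01"}
CONTAINER_EVENT = {"time": "2019-11-04T09:13:10Z", "node": "10.0.1.15",
                   "image": "nginx:latest", "privileged": True}


def _to_iso(ts):
    """Accept epoch seconds or an ISO-8601 string; return a UTC ISO-8601 timestamp."""
    if isinstance(ts, (int, float)):
        return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc).isoformat()


def normalize(sensor_type, raw):
    """Map one sensor-specific event onto the common (assumed) record schema."""
    if sensor_type == "network":
        rec = {"timestamp": _to_iso(raw["ts"]), "src_ip": raw["sip"],
               "dst_ip": raw["dip"], "detection": raw["sig"]}
    elif sensor_type == "agent_windows":
        # Windows event ID 4625 is a failed logon; other IDs are kept but left uncategorised.
        rec = {"timestamp": _to_iso(raw["EventTime"]), "src_ip": raw["IpAddress"],
               "dst_host": raw["Computer"], "user": raw["TargetUserName"],
               "detection": "failed_logon" if raw["EventID"] == 4625 else "windows_event"}
    elif sensor_type == "container":
        rec = {"timestamp": _to_iso(raw["time"]), "dst_ip": raw["node"], "image": raw["image"],
               "detection": "privileged_container_start" if raw["privileged"] else "container_start"}
    else:
        raise ValueError(f"unknown sensor type: {sensor_type}")
    rec["sensor_type"] = sensor_type
    rec["raw"] = raw  # keep the original event for investigation and audit
    return rec


def enrich(rec):
    """Attach asset context for source and destination, plus a kill-chain phase."""
    if "src_ip" in rec and rec["src_ip"] in ASSET_INVENTORY:
        rec["src_asset"] = ASSET_INVENTORY[rec["src_ip"]]
    if "dst_ip" in rec and rec["dst_ip"] in ASSET_INVENTORY:
        rec["dst_asset"] = ASSET_INVENTORY[rec["dst_ip"]]
    elif "dst_host" in rec and rec["dst_host"] in ASSETS_BY_HOST:
        rec["dst_asset"] = ASSETS_BY_HOST[rec["dst_host"]]
    rec["kill_chain_phase"] = KILL_CHAIN_PHASE.get(rec["detection"], "unmapped")
    return rec


def build_record(sensor_type, raw):
    """Full pipeline for one event: normalize, then enrich."""
    return enrich(normalize(sensor_type, raw))


def to_json(rec):
    """Serialise a record to a stable JSON string, as a fused data lake would store it."""
    return json.dumps(rec, sort_keys=True)


if __name__ == "__main__":
    for kind, ev in (("network", NETWORK_EVENT), ("agent_windows", AGENT_EVENT),
                     ("container", CONTAINER_EVENT)):
        print(to_json(build_record(kind, ev)))
```

The point of keeping `raw` alongside the normalized fields is that normalization is lossy by design; an analyst who queries on `dst_asset.criticality` still needs the original event when an alert is escalated. The kill-chain lookup is the simplest form of the "map to kill chain" function the article mentions; in practice that mapping is rule- or model-driven rather than a static table.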
Collected data is processed by applications made available from a unique Stellar Cyber App Store. This allows analysts to select and download applications that support functions such as mapping known and unknown threats to the cybersecurity kill chain, and combining legacy technologies with advanced methods such as machine learning into highly effective means for detecting anomalous traffic and behaviors.
Starlight processing supports SOC analytics and threat hunting campaigns by allowing search and investigation of a massive dataset. “We liken the Starlight platform to having Google for incidents,” Barton explained. “And this really helps our enterprise and MSSP customers deal with all the known and unknown types of issues that come up on a day-to-day basis. Without smart automation, no SOC team can possibly keep up.”
Finally, Starlight enables response to incidents with support for integrated tasks such as trouble ticket generation, case management, workflow support, automated reporting, and signaling to devices such as firewalls through APIs. The platform is open, so it combines easily with orchestration systems such as Phantom Cyber and Demisto. Teams can thus continue to use their endpoints, firewalls, and the like – and via APIs, the platform can ingest anything.
“We make our solution available through a large, global network of partners,” Barton explained. “We have presence in North, Central, and South America, as well as Switzerland, and many different points across Asia including Indonesia, Hong Kong, and Japan. This partner-first approach allows us to support local technical training, and to offer highly-customized value to provider and enterprise customers.”
If you run an MSSP or an enterprise SOC, then it makes sense to have a look at Stellar Cyber’s Starlight solution for Open XDR. Ask Dave Barton to show you the impressive dashboard interface (which looks super futuristic – see the picture at the top of this article), as well as the specification for Interflow. I think you’ll find the time well spent – and as always, please share your learnings here with all of us.